OpenWrt
1 OpenWrt
1.1 OpenVPN
1.1.1 setup
# Install the OpenSSL build of OpenVPN plus the easy-rsa helper scripts
# (pkitool, build-dh, revoke-full, ...) used by the rest of this page.
opkg update
opkg install openvpn-openssl openvpn-easy-rsa
- /etc/easy-rsa/vars
# /etc/easy-rsa/vars (excerpt): identity fields exported for easy-rsa, which
# uses them when it builds certificate subjects. The stock vars file defines
# more than this, e.g. KEY_DIR, on which the setup steps below rely.
export KEY_COUNTRY='CH'
export KEY_PROVINCE='SG'
export KEY_CITY='St. Gall'
export KEY_ORG='Bitbull Tech'
export KEY_EMAIL='crn@bitbull.ch'
export KEY_OU='Office'
export KEY_NAME='work.bitbull.ch'
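# Build the CA, the server certificate and the DH parameters, install them
# for OpenVPN, then create the tun interface and open the firewall.
cd /etc/easy-rsa/ || exit 1
# Load the CA identity and KEY_DIR from the vars file (not from the keys
# directory, which is the output location and cannot be sourced).
. /etc/easy-rsa/vars
clean-all                    # wipes $KEY_DIR -- only for a brand-new CA
pkitool --initca             # equivalent to the 'build-ca' script
pkitool --server fw3         # equivalent to the 'build-key-server' script
build-dh                     # and grab some coffee
cd "$KEY_DIR" || exit 1
mkdir -p /etc/openvpn
cp ca.crt fw3.* dh2048.pem /etc/openvpn/
# fw3.key is the server's private key: keep it readable by root only.
chmod 600 /etc/openvpn/fw3.key

# Unmanaged interface for the tunnel so a firewall zone can reference it.
uci set network.vpn0=interface
uci set network.vpn0.ifname=tun0
uci set network.vpn0.proto=none
uci commit network
/etc/init.d/network reload

# Accept OpenVPN (UDP 1194) from any zone. The uci paths are quoted: '[',
# ']' and '*' are glob characters and would otherwise be subject to
# filename expansion in the keys directory.
uci add firewall rule
uci set 'firewall.@rule[-1].name=Allow-OpenVPN-Inbound'
uci set 'firewall.@rule[-1].target=ACCEPT'
uci set 'firewall.@rule[-1].src=*'
uci set 'firewall.@rule[-1].proto=udp'
uci set 'firewall.@rule[-1].dest_port=1194'

# Zone for the tunnel. ACCEPT on input/forward/output gives VPN clients the
# same trust as a directly attached network; tighten these if clients should
# only reach specific hosts.
uci add firewall zone
uci set 'firewall.@zone[-1].name=vpn'
uci set 'firewall.@zone[-1].input=ACCEPT'
uci set 'firewall.@zone[-1].forward=ACCEPT'
uci set 'firewall.@zone[-1].output=ACCEPT'
uci set 'firewall.@zone[-1].network=vpn0'
uci commit firewall
/etc/init.d/firewall reload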
- /etc/config/openvpn
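# /etc/config/openvpn -- OpenVPN server instance 'myvpn' (UCI syntax; option
# names map to OpenVPN directives with '_' in place of '-').
config openvpn 'myvpn'
	option enabled '1'
	option dev 'tun'
	option proto 'udp'
	option log '/tmp/openvpn.log'
	option verb '3'
	# PKI material copied out of $KEY_DIR during setup.
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/fw3.crt'
	option key '/etc/openvpn/fw3.key'
	# Revocation list. The option is 'crl_verify' (not 'clr_verify') and the
	# file is the crl.pem that the revoke step copies into /etc/openvpn/. A
	# misspelled option never reaches OpenVPN, so revocations would not be
	# enforced. OpenVPN refuses to start if the CRL file does not exist yet:
	# generate an initial (empty) CRL with 'openssl ca -gencrl' against the
	# easy-rsa config, or add this line after the first revocation.
	option crl_verify '/etc/openvpn/crl.pem'
	option server '10.8.0.0 255.255.255.0'
	option port '1194'
	option keepalive '10 120'
	option dh '/etc/openvpn/dh2048.pem'
	# Compression leaks information about tunnelled plaintext; keep it only
	# if clients really need it (their profiles must use comp-lzo as well).
	option comp_lzo 'adaptive'
	# Route pushed to every client -- presumably the router's LAN.
	list push 'route 192.168.11.0 255.255.255.0'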
# Start the server, give it a moment, then check process, interface, socket
# and log output.
/etc/init.d/openvpn start
sleep 3
ps -w | grep openvpn        # daemon running?
ifconfig | grep tun0        # tunnel interface created?
netstat -an | grep 1194     # bound to port 1194?
cat /tmp/openvpn.log        # startup messages and errors
- /etc/easy-rsa/keys/client-ovpn-create.sh
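#!/bin/sh
# client-ovpn-create.sh NAME
#
# Writes NAME.ovpn into the current directory (the easy-rsa keys dir): a
# self-contained client profile with ca.crt, NAME.crt and NAME.key inlined.
# Exits 1 on bad usage, if NAME.ovpn already exists, or if an input file is
# missing. The comp-lzo line must stay in step with the server's comp_lzo.
[ $# -eq 1 ] || exit 1
name=$1
conf="$name.ovpn"
[ -e "$conf" ] && exit 1    # never overwrite an existing profile

# All three inputs must be readable up front; otherwise the profile would be
# written with empty <ca>/<cert>/<key> blocks and only fail on the client.
for f in ca.crt "$name.crt" "$name.key"; do
  [ -r "$f" ] || exit 1
done

# The profile embeds the client's private key: create it mode 0600 instead
# of the default umask.
umask 077
# remote-cert-tls server: only accept a peer whose certificate was issued
# with the server role (pkitool --server), not any certificate from the CA.
{
  cat <<EOF
client
dev tun
proto udp
remote myvpn.bitbull.ch 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
<ca>
EOF
  cat ca.crt
  printf '</ca>\n<cert>\n'
  cat "$name.crt"
  printf '</cert>\n<key>\n'
  cat "$name.key"
  printf '</key>\n'
} > "$conf" || { rm -f "$conf"; exit 1; }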
# Issue two client certificates and wrap each one into an .ovpn profile
# (run in the keys directory, where client-ovpn-create.sh reads its inputs).
pkitool user1.bitbull.ch          # equivalent to the 'build-key' script
pkitool --pass user2.bitbull.ch   # protect client cert with password
sh client-ovpn-create.sh user1.bitbull.ch
sh client-ovpn-create.sh user2.bitbull.ch
# Each .ovpn contains that client's private key: transfer it over a secure
# channel and remove it from the router once delivered.
ls -l *.ovpn
1.1.2 revoke client cert
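# Revoke a client certificate and publish the updated CRL to the server.
cd /etc/easy-rsa || exit 1
# Source the vars file by full path; a bare '. vars' depends on the shell's
# lookup rules for files without a slash.
. /etc/easy-rsa/vars
# revoke-full regenerates $KEY_DIR/crl.pem; the 'certificate revoked'
# verification error it prints at the end is the expected confirmation.
revoke-full user1.bitbull.ch
cp /etc/easy-rsa/keys/crl.pem /etc/openvpn/
# The server config must point at the copied CRL. Expected output:
#   option crl_verify '/etc/openvpn/crl.pem'
grep crl /etc/config/openvpn
# Restart so the running server picks up the new CRL.
/etc/init.d/openvpn restart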